Authentication and CGI

chrispoole has asked for the wisdom of the Perl Monks concerning the following question:

I'm writing a simple web-based expense manager which I want to be multi-user, with users able to set up accounts by themselves.

I need to set up a login/pass system with a vaguely secure method. I've been researching, looking at examples of code, and I'm still not certain which direction I should take.

Anyone working with multi-user sites got any ideas of best approach?

Is .htaccess the best way of restricting users to a certain directory? And how does one work encrypting and de-encryting passwords with perl?

Tah
Chris

Comment on Authentication and CGI

Replies are listed 'Best First'.
Re: Authentication and CGI by flocto (Pilgrim) on Mar 24, 2002 at 02:25 UTC
I think that HTTP-Authentication is the way to go. That's how I set up all my sites and it's working really well. You don't even have to know how the authentication algorithm works, since all you have to do is write a small CGI wrapper around `htpasswd` so people can add themselves. After successfull authentication you can find the username in the REMOTE_USER environment variable. But, passwords will be submited unencripted, so if you make something important you might want to use some encrypted, like an SSL server or MD5-Digest authentication. Doing HTTP authentication in perl isn't hard either: You have to send an header with the status 403 (Unauthorized) which will pop up the username/password dialog on the client side. Then you have to look for the "Http-authentication" (or something like this) header field which contains (BASE64 encoded) "username:password". There you go :) -octo-	[reply] [d/l]
Re: Authentication and CGI by dws (Chancellor) on Mar 24, 2002 at 05:29 UTC
Is .htaccess the best way of restricting users to a certain directory? In general, yes. However, if the only thing in the directory is your application's .cgi, you have the option of protecting it with a .htaccess, or via application logic (e.g., a cookie-based login scheme). merlyn has a column that covers the basics of using cookies for login. A scheme based on .htaccess (or the equivalent in IIS) has the virtue of being relatively easy to set up, though you do have to jump through setuid hoops update passwords via the web. An application-level scheme has the virtue of flexibility. It allows you to easily set up an n>1 level permission scheme for your users (e.g., distinguishing normal users from admins) without having to spread your application across multiple directories. Either scheme is vaguely secure. Both will fail if someone is sniffing packets, since both send passwords in the clear.	[reply]
Re: Authentication and CGI by JayBonci (Curate) on Mar 24, 2002 at 10:53 UTC
If you're running under apache, Apache::Htaccess is good, as I've worked with it a couple of times before. Very convenient (even for small time usage). There's information available on the .htaccess module at CPAN. Good luck with the project! --jb	[reply]
Re: Authentication and CGI by DigitalKitty (Parson) on Mar 24, 2002 at 04:46 UTC
Hi Chris. .htaccess is a very good method but if you would like a code sample, I would process the form data with CGI qw(:standard ) then just analyze each field name with param("name") or param("password"). To check for a blank field, I would use print redirect("/file.html") unless param("name"); This way, the user will be redirected if they have neglected to input the requested info. -DigitalKitty	[reply]
Re: Authentication and CGI by chrispoole (Initiate) on Mar 24, 2002 at 13:04 UTC
Many thanks, your helps been invaluable :)	[reply]